On 01/03/2013 06:17 PM, Charles Bradshaw wrote:
> Hi Daniel, Thanks for the quick reply.
>
> Using SELinux Administration under Boolean reveals:
>
>   Active  Module  Description
>   [ ]     sasl    Allow sasl to read shadow
>
> I check Active for the above, restart saslauthd, but NO change:
>
>   # testsaslauthd -u foo -p foospw
>   0: NO "authentication failed"
>
> Your suggestion:
>
>   # sesearch -A -C | grep saslauthd_read
>   ET allow saslauthd_t shadow_t : file { ioctl read getattr lock open } ; [ allow_saslauthd_read_shadow ]
>   ET allow saslauthd_t etc_t : dir { ioctl read getattr lock search open } ; [ allow_saslauthd_read_shadow ]
>
> My problem is essentially that I don't understand the SELinux Administration
> GUI or the output from sesearch!
>
> Why is the boolean not called allow_saslauthd_read_shadow in the GUI? Where
> is the doc for the meaning of the output from sesearch?
>

Man page. sesearch is reading the policy and showing you what is allowed;
-C means conditionally. The E means it is enabled.

This means that the policy now allows

  allow saslauthd_t shadow_t:file { read getattr open };

I don't tend to use the GUI...

So you don't need this in your policy module.

  rpm -q selinux-policy

> On the other hand installing:
>
>   module saslpol 1.1;
>
>   require {
>       type saslauthd_t, shadow_t;
>       class capability { sys_nice dac_read_search dac_override };
>       class process setsched;
>       class file { read getattr open };
>   }
>
>   #============= saslauthd_t ==============
>   allow saslauthd_t self:capability { sys_nice dac_override dac_read_search };
>   allow saslauthd_t self:process setsched;
>   allow saslauthd_t shadow_t:file { read getattr open };
>
> WORKS (with the aforementioned sasl boolean unchecked).
>
> BUT is this SAFE? And is it the minimum necessary access permissions?
>
> I've added the last line in saslpol.te from examining audit.log and a
> second run of the audit2allow recommendation! I got NO alerts, in either
> mode, using the version having no last line! Even after SELinux
> Administration GUI 'Enabled Audit' for additional audit rules that are
> normally not reported in the log files.
>
> Charles Bradshaw
>
> ###################################
> On: Thu, 03 Jan 2013 10:59:16 -0500 Daniel J Walsh wrote:
>
>> snippet: Have you tried the saslauthd_read_shadow boolean?
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

Judging whether or not something is safe is up to you. I would prefer that
saslauthd used helper apps or the pam stack for reading /etc/shadow, but it
does not, so if you choose to run saslauthd in the state that needs to read
/etc/shadow, you need to give saslauthd this access.

The rules that you have given would allow a hacked saslauthd the ability to
read /etc/shadow, ignore DAC controls and change its priority. Ignoring DAC
controls is not a huge problem, since SELinux would still control what it is
allowed to read and write. Reading /etc/shadow would potentially allow it to
upload the /etc/shadow file somewhere or easily run a cracker on the password
entries, which is why we try to prevent as many programs as possible from
reading /etc/shadow.
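The reply above explains how to read `sesearch -A -C` output: the leading E/D flag says whether a conditional rule is currently enabled, and the trailing `[ boolean ]` names the boolean that controls it. The script below is an added example (not code from either poster) that parses such lines and answers the practical question in the thread: does an already-enabled boolean grant saslauthd_t the read/getattr/open permissions on shadow_t:file that the custom module asks for, making the module unnecessary? The sample output is constructed to mirror the two lines quoted above plus one hypothetical disabled rule under a made-up boolean name (example_bool); on a real host you would feed it `sesearch -A -C -s saslauthd_t` instead, as the comment shows. The second character of the flag (T/F) is taken here to mean the rule lives in the true or false branch of the boolean expression; only the E/D meaning is stated in the thread.

```shell
#!/bin/sh
# Added example: interpret `sesearch -A -C` conditional-rule output.
# SAMPLE_SESEARCH is constructed for this example; the first two lines
# mirror the thread, the third is a hypothetical disabled rule.
SAMPLE_SESEARCH='ET allow saslauthd_t shadow_t : file { ioctl read getattr lock open } ; [ allow_saslauthd_read_shadow ]
ET allow saslauthd_t etc_t : dir { ioctl read getattr lock search open } ; [ allow_saslauthd_read_shadow ]
DT allow saslauthd_t user_home_t : file { read } ; [ example_bool ]'

# On a live system replace the sample with real policy output, e.g.:
#   SESEARCH_OUTPUT=$(sesearch -A -C -s saslauthd_t)
SESEARCH_OUTPUT="${SESEARCH_OUTPUT:-$SAMPLE_SESEARCH}"

# rule_state LINE -> enabled | disabled | unconditional
# First character of the flag: E = enabled, D = disabled (per the thread).
rule_state() {
    case "$1" in
        E*) echo enabled ;;
        D*) echo disabled ;;
        *)  echo unconditional ;;
    esac
}

# rule_boolean LINE -> the boolean named in the trailing "[ name ]"
rule_boolean() {
    printf '%s\n' "$1" | sed -n 's/.*\[ *\([^] ]*\) *\].*/\1/p'
}

# enabled_rules_for SRC TGT -> one line per ENABLED allow rule from SRC to
# TGT, formatted as "CLASS perm perm ... [boolean]"
enabled_rules_for() {
    printf '%s\n' "$SESEARCH_OUTPUT" | awk -v src="$1" -v tgt="$2" '
        # fields: FLAG allow SRC TGT : CLASS { perms... } ; [ bool ]
        $1 ~ /^E/ && $2 == "allow" && $3 == src && $4 == tgt {
            p = $0; sub(/^[^{]*\{ */, "", p); sub(/ *\}.*$/, "", p)
            b = $0; sub(/.*\[ */, "", b);     sub(/ *\].*$/, "", b)
            printf "%s %s [%s]\n", $6, p, b
        }'
}

# shadow_read_allowed SRC -> exit 0 when enabled conditional rules already
# grant SRC read, getattr and open on shadow_t:file (what the custom module
# in the thread requests), else exit 1
shadow_read_allowed() {
    enabled_rules_for "$1" shadow_t | awk '
        $1 == "file" { for (i = 2; i <= NF; i++) have[$i] = 1 }
        END { exit !(have["read"] && have["getattr"] && have["open"]) }'
}

echo 'Enabled conditional rules saslauthd_t -> shadow_t:'
enabled_rules_for saslauthd_t shadow_t
if shadow_read_allowed saslauthd_t; then
    echo 'read/getattr/open on shadow_t already granted by a boolean: custom module not needed'
else
    echo 'no enabled rule grants read on shadow_t: enable the boolean (setsebool -P) or load a module'
fi
```

If the check reports that the boolean already covers the access, the three-line custom module buys nothing except the extra capability and setsched rules, which are exactly the ones the reply flags as widening what a compromised saslauthd could do.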